E3000 ~ spontaneous port forwarding IP changes

Similar Messages

• Port Forwarding to change xbox nat type

  I have wasted the last 2 hours of my life, trying to figure this out. Ill try to make it short, but bear with me.
  xbox nat type is strict. Im fed up with this. Xbox is connected wirelessly to apple base station.
  Ive heard you cant get the NAT type to open, but that you can get it to moderate, and thats what im trying to do.
  I have successfully given my xbox a static ip address, and then I have gone in and opened up ports to that ip address. A guide i was following said this would work. It made it worse, now i get kicked out randomly, which didnt happen before.
  Can ANYBODY give me or find me a step by step guide on how to get my xbox nat type from strict to moderate using leopard and an apple base station.
  a fustrated,
  -Clay

  It is probably your modem that is doubling your NAT. I would set the modem to Bridge mode. That way only the router handles network address translation.

• Use iptables on DMZ server to port forward

  Hello!
  My ISP have this great idea that we have to go to their site to do port forwarding and changing settings on the router/modem, so I was thinking to just set one of my servers as a DMZ, and do port forwarding with iptables on that server.
  The problem is that I can't find out how I can make packets coming in on one port go out to another ip in the LAN.
  Here is my network setup:
  1. Combined router, modem and wireless AP.
  2. Apple AirPort Express connected to the Wifi
  3. switch connected to the AirPort Express with ethernet.
  4. two servers connected to the switch(also with ethernet).
  the two servers have ip adress 192.168.2.3 and 192.168.2.4. And I have set up 192.168.2.3 as DMZ.
  How do I use iptables to route connections that is coming to 2.3 on a speciffic port to 2.4?

  hunterthomson wrote:
  Well, I have kind of turned into an arno-iptables-firewall fanboy. I mean really, you can read through the script in /usr/sbin/arno-iptables-firewall  Super well commented and written very well. It covers all your bases.
  You will want to use the updated package listed in the comments.
  http://dl.dropbox.com/u/1367726/arno-ip … all.tar.gz
  You will also want the SystemD Unit file
  https://aur.archlinux.org/packages/syst … -firewall/
  To do NAT and Port-Forwarding... basically just read through the whole firewall.conf and when you hit the bottom your done.
  But really, you just need to change these things.
  /etc/arno-iptables-firewall/firewall.conf
  Line #41, put your Internet facing interfaces here.
  Line #46, Probaly want to set this to '1' becuase it sounds like the server dose get it's IP from DHCP... but that is a bad idea because it needs to have the same IP all the time... so maybe leave it disabled '0'
  Line #87, Put your LAN facing interfaces here
  Line #94, Put the LAN network here, So like if your Internet facing network is 192.168.2.0/24 you could make the LAN 192.168.4.0/24
  Line #140, Change this to '1' to enable NAT for your LAN
  Line #162, Change this to '1' to enable Port-Forwarding
  Line #193-195, Here is where you define your port-forwards,
  Example: Forward TCP port 22 to host 192.168.4.55 and TCP port 80 to 192.168.4.66
  --> Line 193, NAT_FORWARD_TCP="22>192.168.4.55 80>192.168.4.66"
  Then open port 22 and 80 on the WAN side so they 'can' be forwarded.
  Line #1170, OPEN_TCP="22 80"
  You should also check out the config's in the plugins directory. This is where you get your moneys worth...
  ssh-brute-force-protection.conf
  ids-protection.conf
  traffic-shaper.conf
  ipv6-over-ipv4.conf
  traffic-accounting.conf
  transparent-proxy.conf
  multiroute.conf
  ipsec-vpn.conf
  And More !!!
  Thanks for answer. But it seems like you missed that the server is only connected to the LAN, never to the internet.

• Cannot get port forwarding to work - what am I doing wrong?

  Hi All,
  I am sure I am doing something wrong, but can't see what.   All I need to be able to do is to port forward to one of my virtual machines web port on my file server.
  So, scenario is:
  Windows 2012 R2 Server.    IP address: 10.0.0.2      I have a VM running on there called spatial - it's IP address is 10.0.0.17
  Before moving to Windows 2012 R2 server and virtualization - I had multiple servers and to port forward, simply changed the listening port of IIS to another port from standard - say 81.  Then in my router, port forwarded web traffic to port 81 on that
  server - worked like a charm.
  Now however, when I have tried to do the same thing (10.0.0.17 web server listens on port 81) - the page times out.  If I leave it at port 80 - the server2012 IIS page answers.
  I guess I need to create some sort of gateway on the 2012 server to allow traffic to flow through to port 81 on the VM - but not sure how to?  Can anyone help?  Is there a simple walk through guide someone has written in order to achieve this -
  as I am sure is a very common request.  I have googled, but can't find exactly what I am looking for.
  thanks.

  Hi,
  The Hyper-V 2012r2 virtual switch have the extension security ability, please use the following PowerShell cmdlet to confirm your IIS vm virtual switch not enable the related
  security settings:
  Get-VMSwitchExtension -VMSwitchName "virtual switch name"
  =================================================
  For example:
  Get-VMSwitchExtension -VMSwitchName "External network MSFT"
  Id                 
  : EA24CD6C-D17A-4348-9190-09F0D5BE83DD
  Name               
  : Microsoft NDIS Capture
  Vendor             
  : Microsoft
  Version            
  : 6.3.9600.16384
  ExtensionType      
  : Monitoring
  ParentExtensionId  
  ParentExtensionName :
  SwitchId           
  : 0686a779-c79c-4fd0-9971-f9eb330ca089
  SwitchName         
  : External network MSFT
  Enabled            
  : False
  Running            
  : False
  ComputerName     
    : SERVERLAB-02
  Key                
  IsDeleted          
  : False
  Id                 
  : E7C3B2F0-F3C5-48DF-AF2B-10FED6D72E7A
  Name               
  : Microsoft Windows Filtering Platform
  Vendor             
  : Microsoft
  Version            
  : 6.3.9600.17042
  ExtensionType      
  : Filter
  ParentExtensionId  
  ParentExtensionName :
  SwitchId           
  : 0686a779-c79c-4fd0-9971-f9eb330ca089
  SwitchName         
  : External network MSFT
  Enabled            
  : True
  Running            
  : True
  ComputerName       
  : SERVERLAB-02
  Key                
  IsDeleted          
  : False
  ===================================================
  The related KB:
  Create Security Policies with Extended Port Access Control Lists for Windows Server 2012 R2
  http://technet.microsoft.com/en-us/library/dn375962.aspx
  Enabling Hyper-V Extensible Switch Extensions
  http://msdn.microsoft.com/en-us/library/windows/hardware/hh598144(v=vs.85).aspx
  Enumerating Hyper-V Extensible Switch Extensions
  http://msdn.microsoft.com/en-us/library/windows/hardware/hh598146(v=vs.85).aspx
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Port Forwarding Changes Not Saving

  Im trying to open up some ports on my e3000 for the use of Teamspeak and my Teamspeak server. However when i get of the information filled into the single port forwarding under the Gaming & Applications tab, and click save settings. The page just refreshes, with none of the changes being saved. Anyone run into this problem and find a solution??? Any help would be great.
  Thanks

  greencross wrote:
  Yep. Try clearing your cache / cookies then re-do the configuration. If that doesn't help, use a different browser. I use IE / Firefox / Safari to configure my router. Chrome and Opera seems to run into some issues for me.
  I agree but Safari too has some issues at times.  Firefox and IE would be your best bet.  and yeah, if that doesn't work, reset the router then powercycle then try again.
  "Don't fix it if it ain't broken."

• Linksys E1200 Router not saving Port Forwarding changes

  Hi!
  I am currently attempting to port forward on my Linksys E1200 Router and am not succeeding in saving my settings. I am attempting to open port 25565 though both Single Port Forwarding and Port Range Forwarding, and whenever I click the "save settings" button, I receive a full window message stating that my changes have been saved. Upon clicking this, I return to the previous screen whereupon my changes have been erased and my port has not been forwarded. Can anyone assist me with this? I've searched for hours through forums and tech help websites, but I can't find anyone else with this issue.
  Issue:
  Linksys E1200 Router not saving Port Forwarding changes.
  I have tried:
  -Restarting the Modem
  -Restarting the browser
  -Restarting the computer
  -Tried to Port Forward through both the Single and Ranged Port Forwarding

  Hi there. You can try another browser or a different computer. If it is the same thing, upgrade the firmware of the router. You can refer to this link on how to http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&docid=0a6881b90224439b92c8d8f19ca42e5d_21511.xml&pid=80&...

• IP changes on port forwarding

  I set up port forwarding, port 80 to 192.168.1.4
  Port forwarding works fine.
  After a day or so 192.168.1.4 changes to various IPs. such as
  8.15.17.117, and 63.251.179.13 both will be listed.
  Port forwarding stops working.
  I click <resolve now> and it changes back to 192.168.1.4
  and starts working again. But will change back after a day.
  How can I keep this from happening?

  #1 What is the exact brand and model of your router?
  #2 If you are not on FIOS, what is the brand and model of your modem?
  If you are the original poster (OP) and your issue is solved, please remember to click the "Solution?" button so that others can more easily find it. If anyone has been helpful to you, please show your appreciation by clicking the "Kudos" button.

• I need help changing settings (port forward?) after a physical server move

  Hi! I have a 10.6 server that I use at home. All is well and good there. The Airport Extreme assigns IP addresses for the network. I have www.mydomain.com that runs on the server -- I use it for testing web apps, etc. I use DynDNS with their client app that send the Comcast dynamic IP address back to DynDNS to keep the server on the grid.
  My friend has a 10.6 server. He has www.hisdomain.com as a home business. He also uses DynDNS in a similar way. His landlord just informed him that his apartment is going to be sold from underneath him and he has to move ASAP. It looks like he won't have a permanent place for a month or two, so I offered to let him keep his server at my place.
  We both run websites on port 443 and port 80.
  After attaching his server to my network, his domain name updates, but typing www.hisdomain.com into a browser lands me on www.mydomain.com. I guess that the problem is port forwarding... the router sends all 443 and 80 requests to my server.
  How do I configure this so that services for hisdomain.com are forwarded to his server while services for mydomain.com are forwarded to my server?

  Short answer: you can't, although there are a couple of ways to sort-of kluge it.
  Long answer: When your router gets an incoming connection, the only thing it has to go on is the IP address and port number (the domain name is sent much later, after TCP session with the server is established). So unless you have multiple public IP addresses (and a router that can handle them), or want to put the sites on different ports...
  Speaking of which, here's kluge #1: run his server on different ports (e.g. 81 and 444, or maybe 8080 and 8043) and set the router to forward them to his server. Problem: the user has to include the port number in the URL when they connect, or they'll get your server.
  Partial solution (and kluge #2): add a virtual site on your server, with the hostname www.hisdomain.com, go to its Aliases section, and add a rule in the URL Aliases & Redirects section, with these settings:
  Type: RedirectMatch
  Pattern: (.*)$
  Path: http://www.hisdomain.com:81$1
  Then build an SSL version that redirects to https://www.hisdomain.com:444$1. Problem: when the client connects, they'll get your SSL certificate instead of his (again, it happens before the client sends the domain name it's trying to reach), and get a cert error. No fix for this.
  Kluge #3: instead of making the virtual site redirect clients to his server, add a reverse proxy so your server'll transparently forward requests to his server, and proxy the replies. I haven't done this, but I think what you need to do is make a virtual site (as above), and under its Proxy tab (the one under the virtual site, not the one under the Settings section), check the Enable Reverse Proxy box, leave the Proxy Path as "/" and the Sticky Session Identifier field blank, and add a Balancer member with the Server URL "http://hisinternalipaddress" and a blank Route. Or something like that. Again, you could do the same for https as well, but you'll have the same certificate problem.

• I am trying to setup port forwarding

  I am trying to setup port forwarding for a mfi 5510l hotspot. I have made the changes on the hotspot but the hotspot doen't respond when tested. Can anyone help?

  If you examine the About section of the Jetpack’s web style user interface, you should find that it has a reserved IP4 IP address. That means your Jetpack doesn’t connect directly to the public internet, your Jetpack is connected to Verizon’s private network. Your port forwarding has no affect on Verizon’s private network.
  The standard recommendation is:
  Purchase a public facing static IP address from Verizon for a one time fee of $500.
  Use a VPN to go around the issue. 
  Use another ISP that provides a static IP address.

• How do you set up Port Forwarding for ARD 2.2 in AEB N?

  Help,
  I'm a novice at Apple Remote Desktop (ARD) - not an IT guy, so it has to be pretty basic and detailed.
  How do you set up Port Forwarding for ARD 2.2 on the Apple Airport Extreme BS router, 802.11 N. I have one at each end of the internet connection. At one end I have an Airport Extreme N router with 2 macs and eventually 1 windows XP machine (if I can) that I would like to be able to connect to over the interenet (the clients) and at the other end, I have a Mac with ARD 2.2 installed also with an Airport Extreme N router. Note: Both routers use Static IP addresses and all computers use static IP's internally not through DHCP. What are the settings or directions to do this.
  I have read and printed out the directions for Configuration of ARD 3.0 that are posted many times in the ARD discusion group, but it uses a Linksys router ( http://www.starkpr.com/ard.htm posted by Dave Sawyer). The Mac router is different, particularly with the place to set a Private IP address. I'm not sure about alot of things, but especially about the Private IP address, what number do I set it to, the one that is in my Network connections list? It automatically changes to a different number in AE N setup for Port Forwarding (by one) as if it is not suppose to the same?????
  Are there any directions available that are as straight forward for the Airport Extreme N router, as the one's that are listed here for the Linksys Router's? ( http://www.starkpr.com/ard.htm )
  Any and All help will be greatly appreciated.
  P.S. I know I should have 3.0 but bought 2.2 just weeks before 3.0 came out and they would not give me an upgrade price, so I'm waiting for 4.0 to upgrade.
  Thanks,
  Jim

  Try the following for each AirPort Extreme ...
  AEBSn - Port Mapping Setup
  To setup port mapping on an 802.11n AirPort Extreme Base Station (AEBSn), either connect to the AEBSn's wireless network or temporarily connect directly, using an Ethernet cable, to one of the LAN port of the AEBSn, and then use the AirPort Utility, in Manual Setup, to make these settings:
  1. Reserve a DHCP-provided IP address for the host device.
  Internet > DHCP tab
  o On the DHCP tab, click the "+" (Add) button to enter DHCP Reservations.
  o Description: <enter the desired description of the host device>
  o Reserve address by: MAC Address
  o Click Continue.
  o MAC Address: <enter the MAC (what Apple calls Ethernet ID if you are using wired or AirPort ID if wireless) hardware address of the host computer>
  o IPv4 Address: <enter the desired IP address>
  o Click Done.
  2. Setup Port Mapping on the AEBSn.
  Advanced > Port Mapping tab
  o Click the "+" (Add) button
  o Service: <choose the appropriate service from the Service pop-up menu>
  o Public UDP Port(s): 3283
  o Public TCP Port(s): 3283
  o Private IP Address: <enter the IP address of the host server>
  o Private UDP Port(s): 3283
  o Private TCP Port(s): 3283
  o Click "Continue"
  o Click the "+" (Add) button
  o Service: <choose the appropriate service from the Service pop-up menu>
  o Public UDP Port(s):
  o Public TCP Port(s): 5900
  o Private IP Address: <enter the IP address of the host server>
  o Private UDP Port(s):
  o Private TCP Port(s): 5900
  o Click "Continue"
  o Click the "+" (Add) button
  o Service: <choose the appropriate service from the Service pop-up menu>
  o Public UDP Port(s):
  o Public TCP Port(s): 5988
  o Private IP Address: <enter the IP address of the host server>
  o Private UDP Port(s):
  o Private TCP Port(s): 5988
  o Click "Continue"
  (ref: "Well Known" TCP and UDP ports used by Apple software products)

• Please Help - Only Some Port Forwards Working

  Hi all,
  I have the most annoying issue with a Cisco 887VA-K9 port forwarding. Some port work while other don’t and I just can’t see why, however I suspect it is a zone based firewall (ZBF) issue.
  Port forwards on the follow ports all work fine:
  External port 8021 to 192.168.4.253 on port 80 works
  External port 8022 to 192.168.4.253 on port 8022 works
  All the rest don’t. I also have SIP phones sitting outside the LAN which are unable to register through the internet with the PBX unit which is in the DMZ network 192.168.4..0
  Any help would be great appreciated as this sending me mad. Fully running config below.
  Louise ;-)
  Building configuration...
  Current configuration : 36870 bytes
  ! Last configuration change at 12:49:03 Magadan Fri Nov 8 2013 by cpadmin
  version 15.1
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname QQQ_ADSL_Gateway
  boot-start-marker
  boot-end-marker
  security authentication failure rate 3 log
  security passwords min-length 6
  logging buffered 64000
  enable secret 4 gim.lMOdQK/21R4Wu.QJfOMAv3CIkRyN.hbSTG5xAxE
  aaa new-model
  aaa authentication login local_authen local
  aaa authentication login ciscocp_vpn_xauth_ml_1 local
  aaa authorization exec local_author local
  aaa authorization network ciscocp_vpn_group_ml_1 local
  aaa session-id common
  memory-size iomem 10
  clock timezone Magadan 11 0
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-3471381936
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3471381936
  revocation-check none
  rsakeypair TP-self-signed-3471381936
  crypto pki trustpoint test_trustpoint_config_created_for_sdm
  subject-name [email protected]
  revocation-check crl
  crypto pki certificate chain TP-self-signed-3471381936
  certificate self-signed 01
    3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 33343731 33383139 3336301E 170D3132 30373132 31313332
    34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34373133
    38313933 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100AB76 5F7EE03F 306F52A0 91E82E04 7A69528D 1839409C 55BCC55A 47F180A9
    7B522E9B FBB96A32 715178FE B96B737E 788947A4 CF4791AA 15609E37 A3F66F07
    AD1B8A34 A2877711 E33A613D 8E50AE40 A106DE9C B2B03B95 73392ADB 4BB51FAD
    6F2D6F8D A90BA0B5 BD1A209C F54126A9 2E2FF5B7 85041B7E C72032C0 CECE7F79
    51550203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
    551D2304 18301680 141713AB B7F927E5 50C242DF 9912C3B6 61D93313 80301D06
    03551D0E 04160414 1713ABB7 F927E550 C242DF99 12C3B661 D9331380 300D0609
    2A864886 F70D0101 05050003 81810099 8EBE5630 2E6734A8 4D2FD0A5 F09A98F8
    9E49125F AECEF4BB E0DEBB3A 1A449E38 99B02114 7EC84845 B53C2F88 046B7290
    AE44967A 8BE20F5E 9D4A1CFC E1F64FE8 59F51892 23B88B4E 3416808A 68E65660
    644C7DA0 E3A7A525 14FE8E54 67C35F8E CF69EB40 34DFB13D EA302F66 102C822A
    3D7107BA AA4E7273 1D43690E C4A5D4
                  quit
  crypto pki certificate chain test_trustpoint_config_created_for_sdm
  no ip source-route
  ip dhcp excluded-address 192.168.0.230 192.168.0.255
  ip dhcp excluded-address 192.168.0.1 192.168.0.200
  ip dhcp pool QQQ_LAN
  import all
  network 192.168.0.0 255.255.255.0
  default-router 192.168.0.254
  dns-server 192.168.0.6 202.1.161.36
  netbios-name-server 192.168.0.6
  domain-name QQQ.Local
  lease 3
  ip cef
  no ip bootp server
  ip domain name QQQ.Local
  ip name-server 192.168.0.6
  ip name-server 202.1.161.37
  ip name-server 202.1.161.36
  ip inspect log drop-pkt
  no ipv6 cef
  parameter-map type inspect global
  log dropped-packets enable
  parameter-map type protocol-info yahoo-servers
  server name scs.msg.yahoo.com
  server name scsa.msg.yahoo.com
  server name scsb.msg.yahoo.com
  server name scsc.msg.yahoo.com
  server name scsd.msg.yahoo.com
  server name cs16.msg.dcn.yahoo.com
  server name cs19.msg.dcn.yahoo.com
  server name cs42.msg.dcn.yahoo.com
  server name cs53.msg.dcn.yahoo.com
  server name cs54.msg.dcn.yahoo.com
  server name ads1.vip.scd.yahoo.com
  server name radio1.launch.vip.dal.yahoo.com
  server name in1.msg.vip.re2.yahoo.com
  server name data1.my.vip.sc5.yahoo.com
  server name address1.pim.vip.mud.yahoo.com
  server name edit.messenger.yahoo.com
  server name messenger.yahoo.com
  server name http.pager.yahoo.com
  server name privacy.yahoo.com
  server name csa.yahoo.com
  server name csb.yahoo.com
  server name csc.yahoo.com
  parameter-map type protocol-info aol-servers
  server name login.oscar.aol.com
  server name toc.oscar.aol.com
  server name oam-d09a.blue.aol.com
  parameter-map type protocol-info msn-servers
  server name messenger.hotmail.com
  server name gateway.messenger.hotmail.com
  server name webmessenger.msn.com
  password encryption aes
  license udi pid CISCO887VA-K9 sn FGL162321CT
  object-group service MAIL-PORTS
  description QQQ User Mail Restrictions
  tcp eq smtp
  tcp eq pop3
  tcp eq 995
  tcp eq 993
  udp lt rip
  udp lt domain
  tcp eq telnet
  udp lt ntp
  udp lt tftp
  tcp eq ftp
  tcp eq domain
  tcp eq 5900
  tcp eq ftp-data
  tcp eq 3389
  tcp eq 20410
  object-group network Network1
  description QQQ Management Network
  192.168.1.0 255.255.255.0
  192.168.4.0 255.255.255.0
  192.168.5.0 255.255.255.0
  192.168.7.0 255.255.255.0
  192.168.8.0 255.255.255.0
  range 192.168.0.200 192.168.0.254
  range 192.168.0.1 192.168.0.25
  object-group network Network2
  description QQQ User Network
  192.168.2.0 255.255.255.0
  192.168.3.0 255.255.255.0
  192.168.6.0 255.255.255.0
  range 192.168.0.26 192.168.0.199
  object-group network QQQ.Local
  description QQQ_Domain
  192.168.0.0 255.255.255.0
  192.168.1.0 255.255.255.0
  192.168.2.0 255.255.255.0
  192.168.3.0 255.255.255.0
  192.168.4.0 255.255.255.0
  192.168.5.0 255.255.255.0
  192.168.6.0 255.255.255.0
  192.168.8.0 255.255.255.0
  192.168.7.0 255.255.255.0
  192.168.10.0 255.255.255.0
  10.1.0.0 255.255.0.0
  object-group network QQQ_Management_Group
  description QQQ I.T. Devices With UnRestricted Access
  range 192.168.0.200 192.168.0.254
  range 192.168.0.1 192.168.0.25
  192.168.1.0 255.255.255.0
  192.168.8.0 255.255.255.0
  192.168.7.0 255.255.255.0
  192.168.5.0 255.255.255.0
  192.168.4.0 255.255.255.0
  10.1.0.0 255.255.0.0
  192.168.10.0 255.255.255.0
  10.8.0.0 255.255.255.0
  192.168.9.0 255.255.255.0
  192.168.100.0 255.255.255.0
  192.168.20.0 255.255.255.0
  192.168.21.0 255.255.255.0
  192.168.22.0 255.255.255.0
  192.168.23.0 255.255.255.0
  object-group network QQQ_User_Group
  description QQQ I.T. Devices WIth Restricted Access
  range 192.168.0.26 192.168.0.199
  192.168.2.0 255.255.255.0
  192.168.3.0 255.255.255.0
  192.168.6.0 255.255.255.0
  object-group service WEB
  description QQQ User Web Restrictions
  tcp eq www
  tcp eq 443
  tcp eq 8080
  tcp eq 1863
  tcp eq 5190
  username cpadmin privilege 15 password 7 1406031A2C172527
  username QQQVPN privilege 15 secret 4 Hk2tP2GgJ1xXtJUqIZr4gmNSgw6q1E.rvzWiYnDAZHU
  controller VDSL 0
  ip tcp synwait-time 10
  no ip ftp passive
  class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
  match access-group 118
  class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
  match access-group 121
  class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
  match access-group 120
  class-map type inspect imap match-any ccp-app-imap
  match  invalid-command
  class-map type inspect match-any ccp-cls-protocol-p2p
  match protocol edonkey signature
  match protocol gnutella signature
  match protocol kazaa2 signature
  match protocol fasttrack signature
  match protocol bittorrent signature
  class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
  match access-group 122
  class-map type inspect match-all SDM_GRE
  match access-group name SDM_GRE
  class-map type inspect match-any CCP_PPTP
  match class-map SDM_GRE
  class-map type inspect match-any SDM_AH
  match access-group name SDM_AH
  class-map type inspect match-any ccp-skinny-inspect
  match protocol skinny
  class-map type inspect match-any SDM_ESP
  match access-group name SDM_ESP
  class-map type inspect match-any SDM_VPN_TRAFFIC
  match protocol isakmp
  match protocol ipsec-msft
  match class-map SDM_AH
  match class-map SDM_ESP
  class-map type inspect match-all SDM_VPN_PT
  match access-group 117
  match class-map SDM_VPN_TRAFFIC
  class-map type inspect match-any ccp-cls-insp-traffic
  match protocol pptp
  match protocol dns
  match protocol ftp
  match protocol https
  match protocol icmp
  match protocol imap
  match protocol pop3
  match protocol netshow
  match protocol shell
  match protocol realmedia
  match protocol rtsp
  match protocol smtp
  match protocol sql-net
  match protocol streamworks
  match protocol tftp
  match protocol vdolive
  match protocol tcp
  match protocol udp
  class-map type inspect match-all ccp-insp-traffic
  match class-map ccp-cls-insp-traffic
  class-map type inspect match-any SDM_IP
  match access-group name SDM_IP
  class-map type inspect gnutella match-any ccp-app-gnutella
  match  file-transfer
  class-map type inspect match-any SDM_HTTP
  match access-group name SDM_HTTP
  class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
  match protocol isakmp
  match protocol ipsec-msft
  match class-map SDM_AH
  match class-map SDM_ESP
  class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
  match class-map SDM_EASY_VPN_SERVER_TRAFFIC
  class-map type inspect match-all sdm-cls-http
  match access-group name dmz-traffic
  match protocol http
  class-map type inspect match-any Telnet
  match protocol telnet
  class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
  match  service any
  class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
  match  service any
  class-map type inspect match-any ccp-h323nxg-inspect
  match protocol h323-nxg
  class-map type inspect match-any ccp-cls-icmp-access
  match protocol icmp
  match protocol tcp
  match protocol udp
  class-map type inspect match-any ccp-cls-protocol-im
  match protocol ymsgr yahoo-servers
  match protocol msnmsgr msn-servers
  match protocol aol aol-servers
  class-map type inspect aol match-any ccp-app-aol-otherservices
  match  service any
  class-map type inspect match-all ccp-protocol-pop3
  match protocol pop3
  class-map type inspect match-any ccp-h225ras-inspect
  match protocol h225ras
  class-map type inspect match-any FIREWALL_EXCEPTIONS_CLASS
  match access-group name FIREWALL_EXCEPTIONS_ACL
  class-map type inspect match-any ccp-h323annexe-inspect
  match protocol h323-annexe
  class-map type inspect match-any SDM_EASY_VPN_CTCP_SERVER_PT
  match access-group 102
  match access-group 103
  match access-group 104
  match access-group 105
  match access-group 106
  match access-group 107
  match access-group 108
  match access-group 109
  match access-group 110
  match access-group 111
  match access-group 112
  match access-group 113
  match access-group 114
  match access-group 115
  class-map type inspect match-any SIP
  match protocol sip
  class-map type inspect pop3 match-any ccp-app-pop3
  class-map type inspect match-any SDM_HTTPS
  match access-group name SDM_HTTPS
  class-map type inspect sip match-any ccp-cls-sip-pv-2
  match  protocol-violation
  class-map type inspect kazaa2 match-any ccp-app-kazaa2
  match  file-transfer
  class-map type inspect match-all ccp-protocol-p2p
  match class-map ccp-cls-protocol-p2p
  class-map type inspect match-all ccp-cls-ccp-permit-1
  match access-group name ETS1
  class-map type inspect match-any ccp-h323-inspect
  match protocol h323
  class-map type inspect msnmsgr match-any ccp-app-msn
  match  service text-chat
  class-map type inspect ymsgr match-any ccp-app-yahoo
  match  service text-chat
  class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
  match access-group name ETS
  class-map type inspect match-all ccp-protocol-im
  match class-map ccp-cls-protocol-im
  class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2
  match class-map Telnet
  match access-group name Telnet
  class-map type inspect match-all ccp-icmp-access
  match class-map ccp-cls-icmp-access
  class-map type inspect match-all ccp-invalid-src
  match access-group 100
  class-map type inspect http match-any ccp-app-httpmethods
  match  request method bcopy
  match  request method bdelete
  match  request method bmove
  match  request method bpropfind
  match  request method bproppatch
  match  request method connect
  match  request method copy
  match  request method delete
  match  request method edit
  match  request method getattribute
  match  request method getattributenames
  match  request method getproperties
  match  request method index
  match  request method lock
  match  request method mkcol
  match  request method mkdir
  match  request method move
  match  request method notify
  match  request method options
  match  request method poll
  match  request method propfind
  match  request method proppatch
  match  request method put
  match  request method revadd
  match  request method revlabel
  match  request method revlog
  match  request method revnum
  match  request method save
  match  request method search
  match  request method setattribute
  match  request method startrev
  match  request method stoprev
  match  request method subscribe
  match  request method trace
  match  request method unedit
  match  request method unlock
  match  request method unsubscribe
  class-map type inspect match-any ccp-dmz-protocols
  match user-group qqq
  match protocol icmp
  match protocol http
  class-map type inspect edonkey match-any ccp-app-edonkey
  match  file-transfer
  match  text-chat
  match  search-file-name
  class-map type inspect match-any ccp-sip-inspect
  match protocol sip
  class-map type inspect match-all sdm-cls-sip
  match access-group name dmz-traffic
  match protocol sip
  class-map type inspect match-all ccp-dmz-traffic
  match access-group name dmz-traffic
  match class-map ccp-dmz-protocols
  class-map type inspect http match-any ccp-http-blockparam
  match  request port-misuse im
  match  request port-misuse p2p
  class-map type inspect edonkey match-any ccp-app-edonkeydownload
  match  file-transfer
  class-map type inspect match-all ccp-protocol-imap
  match protocol imap
  class-map type inspect aol match-any ccp-app-aol
  match  service text-chat
  class-map type inspect edonkey match-any ccp-app-edonkeychat
  match  search-file-name
  match  text-chat
  class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
  match class-map SIP
  match access-group name SIP
  class-map type inspect fasttrack match-any ccp-app-fasttrack
  match  file-transfer
  class-map type inspect http match-any ccp-http-allowparam
  match  request port-misuse tunneling
  class-map type inspect match-all ccp-protocol-http
  match protocol http
  policy-map type inspect ccp-permit-icmpreply
  class type inspect ccp-icmp-access
    inspect
  class class-default
    pass
  policy-map type inspect p2p ccp-action-app-p2p
  class type inspect edonkey ccp-app-edonkeychat
    log
    allow
  class type inspect edonkey ccp-app-edonkeydownload
    log
    allow
  class type inspect fasttrack ccp-app-fasttrack
    log
    allow
  class type inspect gnutella ccp-app-gnutella
    log
    allow
  class type inspect kazaa2 ccp-app-kazaa2
    log
    allow
  policy-map type inspect PF_OUT_TO_IN
  class type inspect FIREWALL_EXCEPTIONS_CLASS
    pass
  policy-map type inspect PF_IN_TO_OUT
  class type inspect FIREWALL_EXCEPTIONS_CLASS
    pass
  policy-map type inspect im ccp-action-app-im
  class type inspect aol ccp-app-aol
    log
    allow
  class type inspect msnmsgr ccp-app-msn
    log
    allow
  class type inspect ymsgr ccp-app-yahoo
    log
    allow
  class type inspect aol ccp-app-aol-otherservices
    log
    reset
  class type inspect msnmsgr ccp-app-msn-otherservices
    log
    reset
  class type inspect ymsgr ccp-app-yahoo-otherservices
    log
    reset
  policy-map type inspect http ccp-action-app-http
  class type inspect http ccp-http-blockparam
    log
    reset
  class type inspect http ccp-app-httpmethods
    log
    reset
  class type inspect http ccp-http-allowparam
    log
    allow
  policy-map type inspect imap ccp-action-imap
  class type inspect imap ccp-app-imap
    log
  policy-map type inspect pop3 ccp-action-pop3
  class type inspect pop3 ccp-app-pop3
    log
  policy-map type inspect ccp-inspect
  class type inspect ccp-protocol-http
    inspect
    service-policy http ccp-action-app-http
  class type inspect ccp-protocol-imap
    inspect
    service-policy imap ccp-action-imap
  class type inspect ccp-protocol-pop3
    inspect
    service-policy pop3 ccp-action-pop3
  class type inspect ccp-protocol-p2p
    inspect
    service-policy p2p ccp-action-app-p2p
  class type inspect ccp-protocol-im
    inspect
    service-policy im ccp-action-app-im
  class type inspect ccp-insp-traffic
    inspect
  class type inspect ccp-sip-inspect
    inspect
  class type inspect ccp-h323-inspect
    inspect
  class type inspect ccp-h323annexe-inspect
    inspect
  class type inspect ccp-h225ras-inspect
    inspect
  class type inspect ccp-h323nxg-inspect
    inspect
  class type inspect ccp-skinny-inspect
    inspect
  class type inspect ccp-invalid-src
    drop log
  class class-default
    drop
  policy-map type inspect ccp-permit
  class type inspect SDM_VPN_PT
    pass
  class type inspect ccp-cls-ccp-permit-1
    pass
  class type inspect SDM_EASY_VPN_SERVER_PT
    pass
  class type inspect SDM_EASY_VPN_CTCP_SERVER_PT
    inspect
  class class-default
    drop
  policy-map type inspect sip ccp-app-sip-2
  class type inspect sip ccp-cls-sip-pv-2
    allow
  policy-map type inspect ccp-permit-dmzservice
  class type inspect ccp-cls-ccp-permit-dmzservice-1
    pass
  class type inspect ccp-dmz-traffic
    inspect
  class type inspect sdm-cls-http
    inspect
    service-policy http ccp-action-app-http
  class type inspect sdm-cls-VPNOutsideToInside-1
    inspect
  class type inspect sdm-cls-VPNOutsideToInside-2
    inspect
  class type inspect sdm-cls-VPNOutsideToInside-3
    pass
  class class-default
    pass
  policy-map type inspect ccp-pol-outToIn
  class type inspect ccp-cls-ccp-pol-outToIn-1
    pass
  class type inspect ccp-cls-ccp-pol-outToIn-2
    pass
  class type inspect CCP_PPTP
    pass
  class type inspect sdm-cls-VPNOutsideToInside-1
    inspect
  class type inspect sdm-cls-VPNOutsideToInside-2
    inspect
  class type inspect sdm-cls-VPNOutsideToInside-3
    pass
  class type inspect sdm-cls-VPNOutsideToInside-4
    inspect
  class class-default
    drop log
  policy-map type inspect sdm-permit-ip
  class type inspect SDM_IP
    pass
  class type inspect sdm-cls-VPNOutsideToInside-2
    inspect
  class type inspect sdm-cls-VPNOutsideToInside-3
    pass
  class type inspect sdm-cls-VPNOutsideToInside-4
    inspect
  class class-default
    drop log
  zone security dmz-zone
  zone security in-zone
  zone security out-zone
  zone security ezvpn-zone
  zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
  service-policy type inspect ccp-permit-dmzservice
  zone-pair security ccp-zp-out-self source out-zone destination self
  service-policy type inspect ccp-permit
  zone-pair security ccp-zp-in-out source in-zone destination out-zone
  service-policy type inspect ccp-inspect
  zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
  service-policy type inspect ccp-pol-outToIn
  zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
  service-policy type inspect ccp-permit-dmzservice
  zone-pair security ccp-zp-self-out source self destination out-zone
  service-policy type inspect ccp-permit-icmpreply
  zone-pair security dmz-to-in source dmz-zone destination in-zone
  service-policy type inspect ccp-permit-icmpreply
  zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
  service-policy type inspect sdm-permit-ip
  zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone
  service-policy type inspect sdm-permit-ip
  zone-pair security sdm-zp-in-ezvpn1 source dmz-zone destination ezvpn-zone
  service-policy type inspect sdm-permit-ip
  zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone
  service-policy type inspect sdm-permit-ip
  zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination dmz-zone
  service-policy type inspect sdm-permit-ip
  zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
  service-policy type inspect sdm-permit-ip
  zone-pair security sdm-zp-ezvpn-in3 source ezvpn-zone destination ezvpn-zone
  service-policy type inspect sdm-permit-ip
  crypto ctcp port 10000 1723 6299
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp policy 2
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key 6 PbKM_WfaCM[hYNXAFOUgCNgCB_ZdJEAAB address 220.245.109.219
  crypto isakmp key 6 NddQRR[O^KY`GRDC[VZUEPE`CSJ^CDAAB address 0.0.0.0 0.0.0.0
  crypto isakmp client configuration group QQQ
  key 6 UWVBhb`Lgc_AZbDYWDFZiGZTTadNYTAAB
  dns 192.168.0.6 202.1.161.36
  wins 192.168.0.6
  domain QQQ.Local
  pool SDM_POOL_1
  include-local-lan
  max-users 20
  max-logins 1
  netmask 255.255.255.0
  banner ^CCWelcome to QQQ VPN!!!!1                 ^C
  crypto isakmp profile ciscocp-ike-profile-1
     match identity group QQQ
     client authentication list ciscocp_vpn_xauth_ml_1
     isakmp authorization list ciscocp_vpn_group_ml_1
     client configuration address initiate
     client configuration address respond
     keepalive 10 retry 2
     virtual-template 1
  crypto ipsec transform-set ESP_AES_SHA esp-aes 256 esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec profile CiscoCP_Profile1
  set security-association idle-time 43200
  set transform-set ESP_AES_SHA
  set isakmp-profile ciscocp-ike-profile-1
  crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to220.245.109.219
  set peer 220.245.109.219
  set transform-set ESP-3DES-SHA
  match address 119
  interface Loopback0
  description QQQ_VPN
  ip address 192.168.9.254 255.255.255.0
  interface Null0
  no ip unreachables
  interface Ethernet0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  shutdown
  no fair-queue
  interface ATM0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  no atm ilmi-keepalive
  interface ATM0.1 point-to-point
  description Telekom_ADSL
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  zone-member security out-zone
  pvc 8/35
    pppoe-client dial-pool-number 1
  interface FastEthernet0
  description QQQ_LAN-VLAN_1
  switchport access vlan 1
  no ip address
  interface FastEthernet1
  description QQQ_LAN-VLAN_1
  no ip address
  interface FastEthernet2
  description QQQ_WAN-VLAN_2
  switchport access vlan 2
  no ip address
  interface FastEthernet3
  description QQQ_DMZ-IP_PBX-VLAN_3
  switchport access vlan 3
  no ip address
  interface Virtual-Template1 type tunnel
  description QQQ_Easy_VPN
  ip unnumbered Loopback0
  ip nat inside
  ip virtual-reassembly in
  zone-member security ezvpn-zone
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile CiscoCP_Profile1
  interface Vlan1
  description QQQ_LAN-VLAN1$FW_INSIDE$
  ip address 192.168.0.254 255.255.255.0
  ip access-group QQQ_ACL in
  ip mask-reply
  ip nat inside
  ip virtual-reassembly in
  zone-member security in-zone
  ip tcp adjust-mss 1412
  interface Vlan2
  description QQQ_WAN-VLAN2$FW_INSIDE$
  ip address 192.168.5.254 255.255.255.0
  ip access-group QQQ_ACL in
  ip mask-reply
  ip nat inside
  ip virtual-reassembly in
  zone-member security in-zone
  ip tcp adjust-mss 1412
  interface Vlan3
  description QQQ_IP-PBX_WAN-VLAN3
  ip address 192.168.4.254 255.255.255.0
  ip mask-reply
  ip nat inside
  ip virtual-reassembly in
  zone-member security dmz-zone
  interface Vlan4
  description VLAN4 - 192.168.20.xxx (Spare)
  ip address 192.168.20.253 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  zone-member security in-zone
  interface Dialer0
  description ATM Dialer
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat outside
  ip virtual-reassembly in
  zone-member security out-zone
  no cdp enable
  interface Dialer2
  description $FW_OUTSIDE$
  ip address negotiated
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip mtu 1452
  ip nbar protocol-discovery
  ip flow ingress
  ip flow egress
  ip nat outside
  ip virtual-reassembly in
  zone-member security out-zone
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname xxxxxxxxxxxxxxxxxxx
  ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
  ppp pap sent-username xxxxxxxxxx0 password 7 xxxxxxxxxxxxxxxxxxxxx
  no cdp enable
  crypto map SDM_CMAP_1
  router rip
  version 2
  redistribute static
  passive-interface ATM0
  passive-interface ATM0.1
  passive-interface Dialer0
  passive-interface Dialer2
  passive-interface Ethernet0
  passive-interface Loopback0
  network 10.0.0.0
  network 192.168.0.0
  network 192.168.1.0
  network 192.168.2.0
  network 192.168.3.0
  network 192.168.4.0
  network 192.168.5.0
  network 192.168.6.0
  network 192.168.7.0
  network 192.168.8.0
  network 192.168.10.0
  network 192.168.100.0
  ip local pool SDM_POOL_1 192.168.5.100 192.168.5.200
  ip forward-protocol nd
  ip http server
  ip http access-class 5
  ip http authentication local
  ip http secure-server
  ip nat pool NAT_IP 192.168.0.210 192.168.0.235 netmask 255.255.255.0
  ip nat inside source static tcp 192.168.4.253 5060 interface Dialer2 5060
  ip nat inside source static tcp 192.168.0.240 20408 interface Dialer2 6208
  ip nat inside source static tcp 192.168.0.240 20409 interface Dialer2 6209
  ip nat inside source static tcp 192.168.0.240 20410 interface Dialer2 6200
  ip nat inside source static tcp 192.168.1.240 20408 interface Dialer2 6218
  ip nat inside source static tcp 192.168.1.240 20409 interface Dialer2 6219
  ip nat inside source static tcp 192.168.1.240 20410 interface Dialer2 6210
  ip nat inside source static tcp 192.168.7.240 20408 interface Dialer2 6278
  ip nat inside source static tcp 192.168.7.240 20409 interface Dialer2 6279
  ip nat inside source static tcp 192.168.7.240 20410 interface Dialer2 6270
  ip nat inside source static tcp 192.168.8.240 20408 interface Dialer2 6288
  ip nat inside source static tcp 192.168.8.240 20409 interface Dialer2 6289
  ip nat inside source static tcp 192.168.8.240 20410 interface Dialer2 6280
  ip nat inside source static tcp 192.168.0.6 1723 interface Dialer2 1723
  ip nat inside source static tcp 192.168.0.6 3389 interface Dialer2 6389
  ip nat inside source static tcp 192.168.0.24 3389 interface Dialer2 6390
  ip nat inside source static tcp 192.168.4.253 8022 interface Dialer2 8022
  ip nat inside source static tcp 192.168.4.253 80 interface Dialer2 8021
  ip nat inside source static tcp 192.168.0.254 23 interface Dialer2 8023
  ip nat inside source static tcp 192.168.0.6 443 interface Dialer2 443
  ip nat inside source route-map SDM_RMAP_1 interface Dialer2 overload
  ip default-network 192.168.0.0
  ip default-network 192.168.4.0
  ip route 0.0.0.0 0.0.0.0 Dialer2 permanent
  ip route 10.1.0.0 255.255.0.0 Vlan2 permanent
  ip route 10.8.0.0 255.255.255.0 Vlan2 permanent
  ip route 192.168.0.0 255.255.255.0 Vlan1 permanent
  ip route 192.168.4.0 255.255.255.0 Vlan3 permanent
  ip route 192.168.5.0 255.255.255.0 Vlan2 permanent
  ip route 192.168.100.0 255.255.255.0 Dialer2 permanent
  ip access-list extended ACCESS_FROM_INSIDE
  permit ip object-group QQQ_Management_Group any
  permit tcp object-group QQQ_User_Group any eq smtp pop3
  permit tcp object-group QQQ_User_Group any eq 993 995
  permit tcp 192.168.0.0 0.0.0.255 any eq smtp pop3
  permit tcp 192.168.0.0 0.0.0.255 any eq 993 995
  permit ip 192.168.1.0 0.0.0.255 any
  permit ip 192.168.4.0 0.0.0.255 any
  permit ip 192.168.5.0 0.0.0.255 any
  permit ip 192.168.7.0 0.0.0.255 any
  permit ip 192.168.8.0 0.0.0.255 any
  permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 domain
  permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
  permit tcp 192.168.3.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
  permit tcp 192.168.4.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
  permit udp 192.168.2.0 0.0.0.255 any eq domain time-range QQQ_Control
  permit udp 192.168.3.0 0.0.0.255 any eq domain time-range QQQ_Control
  permit udp 192.168.4.0 0.0.0.255 any eq domain time-range QQQ_Control
  ip access-list extended ETS
  remark CCP_ACL Category=128
  permit ip host 203.219.237.252 any
  ip access-list extended ETS1
  remark CCP_ACL Category=128
  permit ip host 203.219.237.252 any
  ip access-list extended FIREWALL_EXCEPTIONS_ACL
  permit tcp any host 192.168.0.100 eq 25565
  permit tcp any eq 25565 host 192.168.0.100
  ip access-list extended QQQ_ACL
  permit ip any host 192.168.4.253
  permit udp any any eq bootps bootpc
  permit ip any 192.168.4.0 0.0.0.255
  permit ip host 203.219.237.252 any
  remark QQQ Internet Control List
  remark CCP_ACL Category=17
  remark Auto generated by CCP for NTP (123) 203.12.160.2
  permit udp host 203.12.160.2 eq ntp any eq ntp
  remark AD Services
  permit udp host 192.168.0.6 eq domain any
  remark Unrestricted Access
  permit ip object-group QQQ_Management_Group any
  remark Restricted Users
  permit object-group MAIL-PORTS object-group QQQ_User_Group any
  permit ip 192.168.0.0 0.0.0.255 any time-range QQQ_Control
  permit ip 192.168.2.0 0.0.0.255 any time-range QQQ_Control
  permit ip 192.168.3.0 0.0.0.255 any time-range QQQ_Control
  permit ip 192.168.6.0 0.0.0.255 any time-range QQQ_Control
  remark ICMP Full Access
  permit icmp object-group QQQ_User_Group any
  permit tcp 192.168.2.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
  permit tcp 192.168.3.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
  permit tcp 192.168.6.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
  permit udp 192.168.6.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
  permit tcp 192.168.0.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
  permit udp 192.168.0.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
  permit udp 192.168.2.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
  permit udp 192.168.3.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
  ip access-list extended QQQ_NAT
  remark CCP_ACL Category=18
  remark IPSec Rule
  deny   ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
  permit ip any any
  ip access-list extended SDM_AH
  remark CCP_ACL Category=1
  permit ahp any any
  ip access-list extended SDM_ESP
  remark CCP_ACL Category=1
  permit esp any any
  ip access-list extended SDM_GRE
  remark CCP_ACL Category=1
  permit gre any any
  ip access-list extended SDM_HTTP
  remark CCP_ACL Category=0
  permit tcp any any eq telnet
  ip access-list extended SDM_HTTPS
  remark CCP_ACL Category=0
  permit tcp any any eq 443
  ip access-list extended SDM_IP
  remark CCP_ACL Category=1
  permit ip any any
  ip access-list extended SIP
  remark CCP_ACL Category=128
  permit ip any 192.168.4.0 0.0.0.255
  ip access-list extended Telnet
  remark CCP_ACL Category=128
  permit ip any any
  ip access-list extended dmz-traffic
  remark CCP_ACL Category=1
  permit ip any 192.168.4.0 0.0.0.255
  access-list 1 remark CCP_ACL Category=2
  access-list 1 remark QQQ_DMZ
  access-list 1 permit 192.168.4.0 0.0.0.255
  access-list 2 remark CCP_ACL Category=2
  access-list 2 remark QQQ_LAN
  access-list 2 permit 192.168.0.0 0.0.0.255
  access-list 3 remark QQQ Insid NAT
  access-list 3 remark CCP_ACL Category=2
  access-list 3 permit 192.168.0.0 0.0.0.255
  access-list 3 permit 192.168.1.0 0.0.0.255
  access-list 3 permit 192.168.2.0 0.0.0.255
  access-list 3 permit 192.168.3.0 0.0.0.255
  access-list 3 permit 192.168.4.0 0.0.0.255
  access-list 3 permit 192.168.5.0 0.0.0.255
  access-list 3 permit 192.168.6.0 0.0.0.255
  access-list 3 permit 192.168.7.0 0.0.0.255
  access-list 3 permit 192.168.8.0 0.0.0.255
  access-list 3 permit 192.168.9.0 0.0.0.255
  access-list 3 permit 192.168.10.0 0.0.0.255
  access-list 4 remark QQQ_NAT
  access-list 4 remark CCP_ACL Category=2
  access-list 4 permit 10.1.0.0 0.0.255.255
  access-list 4 permit 10.8.0.0 0.0.0.255
  access-list 4 permit 192.168.0.0 0.0.0.255
  access-list 4 permit 192.168.1.0 0.0.0.255
  access-list 4 permit 192.168.2.0 0.0.0.255
  access-list 4 permit 192.168.3.0 0.0.0.255
  access-list 4 permit 192.168.4.0 0.0.0.255
  access-list 4 permit 192.168.5.0 0.0.0.255
  access-list 4 permit 192.168.6.0 0.0.0.255
  access-list 4 permit 192.168.7.0 0.0.0.255
  access-list 4 permit 192.168.8.0 0.0.0.255
  access-list 4 permit 192.168.9.0 0.0.0.255
  access-list 4 permit 192.168.10.0 0.0.0.255
  access-list 5 remark HTTP Access-class list
  access-list 5 remark CCP_ACL Category=1
  access-list 5 permit 192.168.4.0 0.0.0.255
  access-list 5 permit 192.168.0.0 0.0.0.255
  access-list 5 deny   any
  access-list 100 remark CCP_ACL Category=128
  access-list 100 permit ip 192.168.4.0 0.0.0.255 any
  access-list 100 permit ip 127.0.0.0 0.255.255.255 any
  access-list 100 permit ip host 255.255.255.255 any
  access-list 101 remark QQQ_Extended_ACL
  access-list 101 remark CCP_ACL Category=1
  access-list 101 permit tcp any host 192.168.0.254 eq 10000
  access-list 101 permit udp any host 192.168.0.254 eq non500-isakmp
  access-list 101 permit udp any host 192.168.0.254 eq isakmp
  access-list 101 permit esp any host 192.168.0.254
  access-list 101 permit ahp any host 192.168.0.254
  access-list 101 remark Auto generated by CCP for NTP (123) 203.12.160.2
  access-list 101 permit udp host 203.12.160.2 eq ntp host 192.168.4.254 eq ntp
  access-list 101 permit udp host 192.168.0.6 eq domain any
  access-list 101 remark NTP (123) 203.12.160.2
  access-list 101 permit udp host 203.12.160.2 eq ntp any eq ntp
  access-list 101 remark QQQ_ANY_Any
  access-list 101 permit ip object-group QQQ.Local any
  access-list 101 remark QQQ_DMZ
  access-list 101 permit ip any 192.168.4.0 0.0.0.255
  access-list 101 remark QQQ_GRE
  access-list 101 permit gre any any
  access-list 101 remark QQQ_Ping
  access-list 101 permit icmp any any
  access-list 102 remark CCP_ACL Category=1
  access-list 102 permit tcp any any eq 10000
  access-list 103 permit tcp any 192.168.0.0 0.0.0.255 eq 443
  access-list 103 remark CCP_ACL Category=1
  access-list 103 permit tcp any any eq 10000
  access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq 8022
  access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq telnet
  access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq www
  access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq 5060
  access-list 103 permit tcp any eq telnet host 192.168.0.254
  access-list 103 permit tcp any 192.168.0.0 0.0.0.255 eq telnet
  access-list 103 permit udp any 192.168.4.0 0.0.0.255 eq 5060
  access-list 103 permit udp any 192.168.4.0 0.0.0.255 range 10001 12000
  access-list 104 remark CCP_ACL Category=1
  access-list 104 permit tcp any any eq 10000
  access-list 105 remark CCP_ACL Category=1
  access-list 105 permit tcp any any eq 10000
  access-list 106 remark CCP_ACL Category=1
  access-list 106 permit tcp any any eq 10000
  access-list 107 remark CCP_ACL Category=1
  access-list 107 permit tcp any any eq 10000
  access-list 108 remark CCP_ACL Category=1
  access-list 108 permit tcp any any eq 10000
  access-list 109 remark CCP_ACL Category=1
  access-list 109 permit tcp any any eq 10000
  access-list 110 remark CCP_ACL Category=1
  access-list 110 permit tcp any any eq 10000
  access-list 111 remark CCP_ACL Category=1
  access-list 111 permit tcp any any eq 10000
  access-list 112 remark CCP_ACL Category=1
  access-list 112 permit tcp any any eq 10000
  access-list 113 remark CCP_ACL Category=1
  access-list 113 permit tcp any any eq 10000
  access-list 114 remark CCP_ACL Category=1
  access-list 114 permit tcp any any eq 10000
  access-list 115 remark CCP_ACL Category=1
  access-list 115 permit tcp any any eq 10000
  access-list 116 remark CCP_ACL Category=4
  access-list 116 remark IPSec Rule
  access-list 116 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
  access-list 117 remark CCP_ACL Category=128
  access-list 117 permit ip any any
  access-list 117 permit ip host 220.245.109.219 any
  access-list 118 remark CCP_ACL Category=0
  access-list 118 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
  access-list 119 remark CCP_ACL Category=4
  access-list 119 remark IPSec Rule
  access-list 119 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
  access-list 120 remark CCP_ACL Category=0
  access-list 120 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
  access-list 121 remark CCP_ACL Category=0
  access-list 121 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
  access-list 122 remark CCP_ACL Category=0
  access-list 122 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
  dialer-list 1 protocol ip permit
  route-map SDM_RMAP_1 permit 1
  match ip address QQQ_NAT
  banner login ^CCWelcome to QQQ ADSL Gateway

  It turns out the problem had nothing to do with wires or splitters.  The Verizon tech was at my house yesterday and the ONT was failing.  He replaced part of the ONT and it fixed the problem (finally!).  At least I was able to watch the Celtics game last night.
  I have a Tellabs ONT.  Not sure the model but it's older like the ones in this thread.
  http://www.dslreports.com/forum/r19982000-Mounting-board-for-612-ONT

• Time Capsule disconnects internet when using web server through port forwarding

  My current config is: 2TB Time Capsule running 7.6.3, Mac Pro running Lion (10.7.5), MacBook Pro running Mountain Lion (10.8.3), and a couple of MacBook Pro Retinas running Mountain Lion. My current ISP is Comcast.
  I have the Time Capsule set up to port forward port 80 to the Mac Pro for the purpose of running a web server. Most of the traffic is shuttling fairly large m4v files back and forth to work (work product from video editing work). I can reach the webserver on the Mac Pro just fine from the outside world, and can list files in the directory just fine. When I initiate a download (via right click on a link, "Save As..." or whatever), the Time Capsule reports that the Internet has been disconnected, and all machines inside my network lose access to the outside world. I have to either power cycle the Time Capsule, or disconnect/reconnect the Cat-6 cable between the cable modem and the Time Capsule to re-establish the connection. Interestingly, the download continues and completes on the other end without issue (so, the connection is actually still there!).
  Before switching to Comcast, I was on AT&T Uverse - Uverse includes a router, so I had the TIme Capsule set up in Bridge Mode. That worked fine. I also have an older 500GB 1st generation Time Capsule. I set it up with the same config as my 2TB TC, and it shows the exact same behavior - internet disconnects upon initiating a file download through a forwarded port. I then hooked the Mac Pro up directly to the cable modem. I can initiate a download without issue, and I continue to stay connected to the Internet without problem. Called Comcast anyway - they report no errors on the line, but reset the whole device chain anyway. No change in behaviors.
  I tried downgrading the Time Capsule software to 7.6.2 (the earliest version that came on it). No dice, same behavior.
  So... I called Apple. Complete and utter FAIL. Apple Support reports that they have no training in the port forwarding features of the Time Capule or Airport products, and cannot help me resolve the issue because of that. So, I have a $300 router that apparently cannot perform a simple routing function (download through a forwarded port), that I cannot troubleshoot (because Airport software v7 is an epic fail in that regard), made by a company who cannot support it - and everything this $300 device is doing can be done by a $50 device with a $100 external hard drive?
  Do I understand this situation correctly? What have I missed in trying to troubleshoot this thing?

  Apple Support reports that they have no training in the port forwarding features of the Time Capule or Airport products, and cannot help me resolve the issue because of that. So, I have a $300 router that apparently cannot perform a simple routing function (download through a forwarded port), that I cannot troubleshoot (because Airport software v7 is an epic fail in that regard), made by a company who cannot support it - and everything this $300 device is doing can be done by a $50 device with a $100 external hard drive?
  Do I understand this situation correctly? What have I missed in trying to troubleshoot this thing?
  Excellent summary.. I think you have covered all the salient points most thoroughly.
  Port forwarding on the TC I would put into the category of "epic fail"
  I have a nasty feeling it just doesn't work in many cases. Clearly from your situation the port is forwarded correctly.. it is the actual download that is causing the device to crash.. which is probably not the port forwarding itself that is at fault but rather the external link and opening another port for the download to happen.
  Many of the issues were caused by using icloud and btmm.. which would work a lot better btw. Although the hassle there is needing to offer that as a service to any Tom Dick or Harry.
  Let me suggest a work around or other things to try.
  I also have an older 500GB 1st generation Time Capsule. I set it up with the same config as my 2TB TC, and it shows the exact same behavior - internet disconnects upon initiating a file download through a forwarded port.
  Use 5.6 utility.. more info below. And take the firmware of this unit (Gen1) back to 7.5.2 (before icloud mess ups in 7.6).
  You can go back to 7.5 firmware also in Gen4 TC if it is more than about 14months old.. Simply hold down the option key when you select firmware and the old versions will show up. If your TC came with 7.6.1 (the 7.6.2 was withdrawn as it was even bigger failure than 7.6.3). then you cannot go back.
  You might also find downloading via http is not as reliable as using FTP.. FTP is a better and more efficient protocol. It should be no problem to setup ftp server on the mac pro to allow download via ftp even with a browser.
  But in the end.. your $50 router suggestion.. well perhaps a little more than that.. $80-100 will work very well.. also this router can be setup with a Hard Disk and offer the files to the internet via FTP.. without needing full network access to your internal network.
  How to load 5.6 into ML.
  1. Download 5.6 for Lion.
  http://support.apple.com/kb/DL1482
  Click to open the dmg but do not attempt to install the pkg.. it won't work anyway.
  2. Download and install unpkg.
  http://www.timdoug.com/unpkg/
  Run unpkg on the desktop.. it is very simple.. drag the AirPortUtility56.pkg file over to unpkg.. and it will create a new directory of the same name on the desktop.. drill down.. applications utilities .. there lo and behold is Airport utility 5.6 .. drag it to your main utilities directory or just run it from current location.
  You cannot uninstall 6.1 (now 6.2 if you updated) so don't try.. and you cannot or should not run them both at the same time.. so just ignore the toyland version.. the plastic hammer.. and start using 5.6.. a real tool.
  For screen shots see this post.
  https://discussions.apple.com/thread/4668746?tstart=0

• How to IPsec site to site vpn port forwarding to remote site?

  Hi All,
  The scenario where a Site to Site VPN tunnel has been established between Site A and Site B. Lan on Site A can ping Lan on Site B. My problem is a Printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also i could not ping the remote lan or printer from the router.
  Below are my configure on the Cisco 877 in site A. Would you please advise the solution for that?
  Building configuration...
  Current configuration : 5425 bytes
  ! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Laverton
  boot-start-marker
  boot-end-marker
  logging message-counter syslog
  no logging buffered
  aaa new-model
  aaa authentication login default local
  aaa authorization exec default local
  aaa session-id common
  clock timezone PCTime 10
  crypto pki trustpoint TP-self-signed-1119949081
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1119949081
  revocation-check none
  rsakeypair TP-self-signed-1119949081
  crypto pki certificate chain TP-self-signed-1119949081
  certificate self-signed 01
    XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
    XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
    69666963 6174652D 31313139 39343930 3831301E 170D3132 30363135 30343032
    30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31313939
              quit
  dot11 syslog
  ip source-route
  no ip dhcp use vrf connected
  ip dhcp excluded-address 192.168.1.1 192.168.1.50
  ip dhcp pool DHCP_LAN
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
     dns-server 61.9.134.49
     lease infinite
  ip cef
  no ipv6 cef
  multilink bundle-name authenticated
  object-group network VPN
  description ---Port Forward to vpn Turnnel---
  host 192.168.2.99
  username admin01 privilege 15 secret 5 $1$6pJE$ngWtGp051xpSXLAizsX6B.
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key mypasswordkey address 0.0.0.0 0.0.0.0
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map SDM_DYNMAP_1 1
  set transform-set ESP-3DES-SHA
  match address 100
  crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
  archive
  log config
    hidekeys
  no ip ftp passive
  interface ATM0
  description ---Telstra ADSL---
  no ip address
  no atm ilmi-keepalive
  pvc 8/35
    tx-ring-limit 3
    encapsulation aal5snap
    protocol ppp dialer
    dialer pool-member 1
  dsl operating-mode auto
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  switchport access vlan 10
  shutdown
  interface FastEthernet3
  interface Vlan1
  description ---Ethernet LAN---
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  ip tcp adjust-mss 1420
  interface Vlan10
  ip dhcp relay information trusted
  ip dhcp relay information check-reply none
  no ip dhcp client request tftp-server-address
  no ip dhcp client request netbios-nameserver
  no ip dhcp client request vendor-specific
  no ip dhcp client request static-route
  ip address dhcp
  ip nat outside
  ip virtual-reassembly
  interface Dialer0
  description ---ADSL Detail---
  ip address negotiated
  ip mtu 1460
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  ip tcp adjust-mss 1420
  dialer pool 1
  dialer-group 1
  ppp chap hostname [email protected]
  ppp chap password 0 mypassword
  crypto map SDM_CMAP_1
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer0
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip dns server
  ip nat inside source static tcp 192.168.2.99 80 interface Dialer0 8000
  ip nat inside source static tcp 192.168.2.99 9100 interface Dialer0 9100
  ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
  ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
  ip access-list extended NAT
  remark CCP_ACL Category=16
  remark IPSec Rule
  deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 any
  access-list 1 permit 192.168.1.0 0.0.0.255
  access-list 100 remark CCP_ACL Category=4
  access-list 100 remark IPSec Rule
  access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 101 remark CCP_ACL Category=2
  access-list 101 remark IPSec Rule
  access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 101 permit ip 192.168.2.0 0.0.0.255 any
  route-map SDM_RMAP_1 permit 1
  match ip address NAT
  route-map SDM_RMAP_2 permit 1
  match ip address 101
  control-plane
  line con 0
  no modem enable
  line aux 0
  line vty 0 4
  transport input telnet ssh
  scheduler max-task-time 5000
  end
  Your help would be very appreciated!
  PS: I know it is easier if i config Site A as the VPN server but in out scenario, we need to access printer from internet over static WAN IP of site A.
  Thanks,
  Thai

  Is there anyone can help please?

• Can anyone tell me how to port forward and setup an XBOX 360 using my Time Capsule??

  Xbox 360
  When playing the game online, the minimum speed of your network should be 128kbps. The ideal network speed for playing the game online is 768kbps. If you are having a problems with lag check the following:
  Network Troubleshooting:
  Disable any firewall or security features on your router.
  Set port forwarding on your router to the IP address of your Xbox 360. This game uses port 3074 (UDP/TCP). Additionally Xbox LIVE requires ports 80, 53 TCP and 88, 53 UDP.
  Place your Xbox 360 into the DMZ of your router.
  Disconnect your router and try the game. If it works regularly at this point something about your router may not be completely compatible with the specific needs of this game. Check with your router manufacturer and Microsoft's Xbox Live Connection Issues page for additional steps that may need to be done to resolve the issue you are having. You can also verify that you have an Xbox Live compatible router.
  If you are having issues connecting while multiple Xbox 360 consoles are connected on the same network, try forwarding port 3074 (UDP/TCP) for one Xbox 360 and setting the other as DMZ. There is a chance that this may not resolve you issue,  if it doesn’t then you may want to consider getting an additional public IP address by contacting your Internet Service Provider and assigning it to one of these two consoles.
  NOTE: If setting port forwarding or DMZ helps your connection issue, you may want to assign your Xbox 360 a static IP address within your home network. This can help to ensure that the configurations you made do not need to be done again. You can visit PortForward's Static IP Guide for a detailed guide on how to do this.
  NOTE: Many broadband internet modems are coming with routing capabilities built in. Please contact your internet service provider to determine if your internet modem has an integrated router. If it does, they should be able to assist you with the steps above for setting up your router.
  Once you have verified that your network setup is not the cause of the issue, try the following:
  Try connecting to a different server. Some servers may have other players connected to them that you do not have an optimal connection with. In most games this is accomplished by backing out to the main menu and then selecting multiplayer again. From there you can try connecting to another online game.
  Run the Xbox Network Self Test to see how strong your NAT is currently set to. Once the test is completed you will be notified if there is an issue with your connection. If you select "More Info" you will be given information about your NAT type and some steps to resolve any issues with your connection.
  Moderate and Strict NAT types may have issues connecting to online matches. You may get the error "Notice - The game session is no longer available." If you do then enabling UPnP, forwarding port 3074, or placing your Xbox in your router's DMZ may resolve this issue. Please consult your router documentation for instructions on how to do this.

  ouman88 wrote:
  Whoa....this just went way over my head.... I already have 6.1 installed for my Airport Utility.
  Read again what I wrote.. 6.1 is the problem.. or part of it.
  You need to install the earlier 5.6 version which I have given you explicit instructions to do.
  I have done something now and can not connect the XBOX at all now....unless you can provide me step by step directions I may have to call Apple Support.
  This will happen over and over.. just press reset and start again.. you need to learn how to do the setup and using 5.6 utility will help you.. as will using ethernet from the computer to the TC.. trying to fix things over wireless is like sitting on a tree branch you are sawing off. As soon as you update you will fall to the ground.
  I am not that sure that Apple Support will have any idea.
  Do a google search .. you will find most people struggle with this.. Microsoft made the xbox to use upnp with vista specs.. if you use a router without upnp, ie any apple router.. you will have issues.
  Have a go at bypassing the problem.. I have no idea if this will work.. I do not use a TC as the main router because much of my network including xbox and ps3 is just a pain.. I use a modem router with upnp. And bridge the TC.. that is the setup I would recommend.
  Try this.. once you have installed 5.6 utility.
  Get the IP of the XBox and click enable default host.. and put the IP address in there.. this is called DMZ.. all unassigned packets are forwarded to this ip address.. it is like a port forwarding for all ports.
  See if it helps.. If it does you will need to lock the xbox address so it doesn't change.. we can get to that.
  Tell me what kind of broadband you have and what modem router first.. none of this will work if you have double NAT.

• How do I configure for port forwarding?

  I just relpaced my CISCO E3000 wireless router with an Apple Airport Extreme and need to set up port forwarding.  I find the Airport Utility confusing and very limited in capabilities.  How do I configure the router for Port Forwarding?

  Here's a document that you can follow:  https://discussions.apple.com/docs/DOC-3415
  However, I ran into an issue with setting this up and had to do a work-around: Custom Port Forwarding Config Not Working